I have mutual TLS enabled in my Istio installation, and the rule is preventing my services from communicating with each other; specifically, my services cannot access my MongoDB service that is running on the same cluster in the same namespace. I have implemented the default JWT authentication with no issues, but the apikey authentication causes this issue.

In the configuration, I feel that the match: context.reporter.kind == "inbound" specification should only target inbound services, and not communication between services. Still, it seems that the intra-mesh communication is being affected. Is there a way to configure this rule or otherwise implement this feature while using mTLS in the mesh?

1 Answer

Yes, the attribute names can be confusing. The "context.reporter.kind" is really just filtering between kinds of Mixer traffic from the proxies, so it's not useful in your context. To limit the rule to just applying at ingress, you'll need a rule that looks like this:
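As an added illustration, not the rule the answerer had in mind and not an Istio project sample: a config.istio.io/v1alpha2 rule that keys the apikey check on the request's source being the ingress gateway, so calls between workloads inside the mesh (the app talking to MongoDB over mTLS) fall through. `apikey-handler` and `apikey-check` are placeholder names for whatever handler and instance your installation defines, and the label value assumes the default istio-ingressgateway deployment.

```yaml
# Added example; not the answer's rule and not Istio's own sample.
# Names marked PLACEHOLDER are assumed; substitute the handler and
# instance your mesh already has for the apikey check.
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: apikey-at-ingress-only
  namespace: istio-system
spec:
  # Why not context.reporter.kind == "inbound": that attribute only says
  # which proxy side (inbound listener vs outbound listener) sent the
  # check to Mixer. Under mTLS every in-mesh call is checked by the
  # destination sidecar's inbound side, so the app's call to MongoDB
  # also matched and was rejected for lacking an API key.
  #
  # Keying on the source instead: for a request that entered through the
  # ingress gateway, Mixer sees the gateway pod as the source (labelled
  # istio: ingressgateway in the default install). Service-to-service
  # calls have the calling workload as source and are never matched.
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: apikey-handler.istio-system   # PLACEHOLDER: your apikey handler
    instances:
    - apikey-check                          # PLACEHOLDER: your apikey instance
```

After applying it, a quick check is to call MongoDB from an app pod (should succeed) and then send a request without a key through the gateway (should be denied); if the gateway deployment in your cluster uses a different label, adjust the match expression to that label.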